A Voting System with full Accountability

Gorm Salomonsen, Jens Groth, March 4 2003.




An election poses a lot of challenges on the system used for voting, whether this is a manual system, a mechanical one or an electronic one. Traditionally manual systems have been used and are still widely used. For some decades mechanical systems have been used in some countries, and in recent years electronic voting systems have had their breakthrough in a number of countries. Common to all is that very high standards have to be set on the security of the process of voting, such that voters can be confident that the result of the election correctly reflects the votes cast, whereas at the same time secrecy of the votes cast shall be ensured. In fact a long list of apparently conflicting requirements can be stated.

Common for the systems used for general elections on a larger scale today is that they duplicate the basic principles of the manual election, which we will briefly review. A voter enters a voting site, where his identity is checked, after which he receives a ballot and enters a voting booth where he can vote in privacy. He then folds his ballot such that nobody can see what he has voted, enters the public sphere again and drops his ballot into a container. The whole process is monitored by a sufficiently large and diverse group of people such that it can be trusted not to cheat. A number of special cases may exist in the process. For example the first voter may have the opportunity to verify that the container is initially empty, and it may be possible to regret the choice in the time span between entering the choice on the ballot and dropping it into the container. After the election the votes are counted. Throughout the whole process it is ensured that at every step everything is monitored by a group of people sufficiently large and diverse to be trusted.

Mechanical and electronic voting systems follow the same principles. In fact it seems that the core element in the design of such systems is that the process shall be changed as little as possible when introducing a new system. For example DRE (Direct Recording Engine) e-voting systems store individual votes on a memory card such that they can be counted afterwards instead of just keeping track of the statistics to be reported.

However, when using electronic devices a number of properties of the original process are altered to the detriment of security even though the process is kept fixed. In particular the following properties are always lacking unless great care is taken:

a) The voter is no longer able to see that what he enters on the machine is actually what is recorded.

b) The officials monitoring the process are no longer able to see that one vote is 
recorded for each voter. 

c) The monitoring of the counting process is no longer efficient since nobody can 
see what really happens during counting. 
This has been known for many years in academic circles and has led to a number of initiatives:

1) Some have tried to inform the public and decision makers about the situation and have been driving a debate that has recently been rather heated as DRE machines have become more widespread.

2) Some have developed the technology for dealing with the new challenges posed by electronic voting systems. This has been done as basic research in universities worldwide and in applied research projects like the e-Vote (IST-2000-29518, http://www.instore.gr/evote) and Cybervote (IST-1999-20338, http://www.eucybervote.org) projects as well as in private high tech companies like Cryptomathic.

For background, prior art references can be made to the following:

[DGS] Ivan Damgård, Jens Groth, Gorm Salomonsen: "The Theory and Implementation of an Electronic Voting System", in Gritzalis, D. (Ed.) Secure Electronic Voting, Kluwer Academic Publishers, Boston, USA, November 2002 (ISBN 1-4020-7301-1).

[DJ01] Ivan Damgård and Mads Jurik: "A generalisation, a simplification and some applications of Paillier's public-key system with applications to electronic voting". In Public Key Cryptography '01, pages 119-136. Springer-Verlag, LNCS 1992, 2001.

[NEF01] C. Andrew Neff: "A verifiable secret shuffle and its applications to e-voting". In Proceedings of the 8th ACM Conference on Computer and Communications Security, pages 116-125. ACM Press, 2001.

[NEF03] C. Andrew Neff: "Election Confidence". Version 6, December 2003. Preprint available on www.votehere.net.

[BGR] Mihir Bellare, Juan A. Garay and Tal Rabin: "Fast Batch Verification for Modular Exponentiation and Digital Signatures", EUROCRYPT 1998, LNCS 1403, Springer-Verlag, pages 236-250.

[DF] Ivan Damgård and Eiichiro Fujisaki: "A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order", ASIACRYPT 2002, LNCS 2501, Springer-Verlag, pages 125-142.

[F] Jun Furukawa: "Efficient, Verifiable Shuffle Decryption and Its Requirement of Unlinkability", Public Key Cryptography 2004, LNCS series, Springer-Verlag.

[FMMOS] Jun Furukawa, Hiroshi Miyauchi, Kengo Mori, Satoshi Obana and Kazue Sako: "An Implementation of a Universally Verifiable Electronic Voting Scheme based on Shuffling", Financial Cryptography 2002, LNCS 2357, Springer-Verlag, pages 16-30.

[FS] Furukawa and Sako: "An efficient scheme for proving a shuffle", CRYPTO 2001, LNCS 2139, Springer-Verlag, pages 368-387.

[G] Jens Groth: "A Verifiable Secret Shuffle of Homomorphic Encryptions", Public Key Cryptography 2003, LNCS 2567, Springer-Verlag, pages 145-160.

[GMY] Juan A. Garay, Philip D. MacKenzie and Ke Yang: "Strengthening Zero-Knowledge Protocols Using Signatures", EUROCRYPT 2003, LNCS 2656, Springer-Verlag, pages 177-194.

[Npatent] Andrew Neff, VoteHere: "Verifiable secret shuffles of encrypted data, such as ElGamal encrypted data for secure multi-authority elections", patent application 2002.

Pursuers of 1) require printed ballots to be produced for voters to watch and to store the traditional way such that they can be used for recounting. The pilot system developed and tested in the e-Vote project uses digitally signed, encrypted votes, such that it is ensured that there is control of who cast each individual vote. It also utilizes a secure protocol based on homomorphic encryption and zero-knowledge proofs (see [DGS], [DJ01]) to ensure that the counting process is universally verifiable while preserving secrecy. Universally verifiable means that it is possible for an independent observer to verify that the votes are authentic, correctly formatted and have been counted correctly without breaking the secrecy of the election. However, it does not deal directly with the issue mentioned in a), that each voter shall be able to verify that his choice is actually what is recorded in his vote.¹

One purpose of embodiments of the present system is to bring together the two approaches in a novel way by outlining how an e-voting system can be designed with existing technology such that

I. The properties of embodiments of the system are such that none of the issues a), b) or c) constitutes a significant security threat.

II. Several counting and recounting procedures are possible with different properties with respect to security and cost, and where the highest obtainable level of integrity of the result of the election is considerably higher than for traditional manual elections.

Thus in a relaxed political climate costs can be saved and final results of the election 
can be made available quickly, whereas in a tense political climate, where current 
manual procedures are insufficient to ensure integrity of elections, the level of 
security can be increased. 



¹ Votes with the e-Vote system are generated and signed in an applet on the PC of the voter, so a) can be ensured by intercepting the applet and verifying that it performs correctly (by means of installing third-party software). However, this only works for Internet voting, and it comes together with the expense that receipt-freeness is only conditionally possible with Internet voting.
What is claimed is:

1. A voting system feature comprising: at least one device used for voting entering preferably (the same or associated information) on a printed ballot and an encrypted electronic ballot linking the two to each other; preferably, each voter will be allowed to watch the content of the paper ballot to verify that it contains his choices; preferably, at least one instance making available depersonalised clear-text electronic ballots with their information linking them to printed ballots to the public or to selected entities; preferably, a procedure selecting a random sample of electronic ballots and verifying that their content corresponds to the content of corresponding paper ballots with the purpose of establishing confidence that the electronic ballots have not been subjected to large-scale tampering.

2. A voting system feature comprising: at least one device used for voting entering preferably (the same or associated information) on a printed ballot and an encrypted electronic ballot linking the two to each other; preferably, each voter will be allowed to watch the content of the paper ballot to verify that it contains his choices; preferably, at least one instance making available depersonalised clear-text electronic ballots with their information linking them to printed ballots to the public or to selected entities; preferably, a procedure selecting a random sample of electronic ballots and verifying that their content corresponds to the content of corresponding paper ballots with the purpose of establishing a deterrent against tampering with the voting device in individual election districts.

3. A device for collecting ballots comprising: two or more containers for collecting filled ballots and a user interface allowing a voter to make known his intention to submit his ballot, arranged in such a way that it is decided at random at the time of ballot submission whether ballots shall be checked. This works in the way that it is by mechanical means ensured that ballots selected for checking at random are entered in a particular subset of containers.

4. A protocol for producing a zero-knowledge proof of a correctly performed combination of permuting and partial decryption of homomorphically encrypted messages, and preferably the non-interactive versions of the protocol obtained by using the Fiat-Shamir heuristic.

5. A homomorphic commitment system that performs efficiently by making use of subgroups of Zn* for the message space and/or the randomization space.

6. A protocol comprising: use of a homomorphic verification system for verifying the correctness of the result of repeatedly permuting and re-encrypting and finally decrypting homomorphically encrypted content.

7. A protocol comprising: use of a homomorphic verification system for verifying the correctness of the write-in votes obtained by repeatedly permuting and re-encrypting and finally decrypting homomorphically encrypted votes.

8. A protocol comprising: use of a homomorphic verification system for verifying the correctness of the information linking electronic and printed ballots obtained by repeatedly permuting and re-encrypting and finally decrypting homomorphically encrypted votes.

Aspects of the invention provide data processing apparatus and computer program code (which may be distributed over a network), in particular on a carrier, to implement the above described system and protocols.

We are thus offering a new solution that allows for faster counting, cost savings and increased service to voters compared to manual elections, but with a higher level of security. We must stress that aspects of the invention can be used in many embodiments. There are many technologies available for dealing with the issues a) and b) and many possible embodiments which we will not exhaustively list in this document. In particular all of the technologies "homomorphic encryption", "MIX nets" and "digital signatures" can be replaced by other technologies in the embodiments without changing the use of claims 1, 2 and 3.

Overview 

When we discuss technologies suitable for protecting elections it will be technologies that base their trust on mathematics and on suitably composed groups of people being unable to cooperate to cheat, rather than on elements like trust in the quality of code or the ability to keep out intruders completely. For example a digital signature cannot be forged by malicious software that has access to data that can be signed unless this software also has access to a particular private key. This is contrary to other sorts of protection, like a log on a local machine, which can normally easily be forged by malicious software. Thus the protection we discuss is protection against adversaries with access to modifying any part of the software they like, with very few exceptions (software for key generation is an example). When we state that a device must be trusted to do or not to do something, we mean that we rely on the software and hardware of the device ensuring that the device has the intended behaviour. The precise level of security for the devices used for casting votes that we are aiming at is:

- The devices will be trusted not to give away the choices of individual voters in any other ways than the ones specified.

- However, we will assume that relevant adversaries have access to modifying the software and hardware of the devices whenever we discuss the highest levels of security supported for protecting against tampering with the choices of the voters.

This is consistent with the fact that the latter type of attack has the highest potential for producing benefits for adversaries, and with the fact that manual voting also allows some attacks on secrecy, like the use of hidden cameras or comparison of fingerprints on voter cards and ballots.

Two technologies for counting secret encrypted and signed votes (the list is not exhaustive; the ones mentioned are the ones we are particularly interested in making use of in our invention) are:

- Homomorphic encryption and zero-knowledge proofs combined with a secret sharing mechanism. The vote is encrypted and a zero-knowledge proof is attached proving that the encrypted vote is an encryption of a correct vote. Because the crypto system is homomorphic, the votes with correct zero-knowledge proofs can be counted in encrypted form without ever decrypting a vote. Finally, the key for decrypting the result is secret shared between a sufficiently large and diverse group of people such that it can be trusted not to decrypt individual votes.

- MIX nets. A number of servers (shuffles) one after another re-encrypt encrypted votes without being able to decrypt them and pass them on in a different, random order together with a zero-knowledge proof that only the order but not the content of the encrypted votes has been modified. If several shuffles are used one after another and are operated by different organisations with conflicting interests, it is trusted that the association between the original ordering of the votes and the new ordering of differently encrypted votes has been lost. Further, the zero-knowledge proofs ensure that the content of the votes has not been altered. Again a secret sharing mechanism can be used for decryption.

Common to the two approaches is that they require the use of sophisticated zero-knowledge proofs and that crypto systems need to satisfy special properties in order to be used for the protocols. Until recently protocols of this type were too slow to be applied in practice, but currently:

Cryptomathic has developed an efficient homomorphic encryption 
protocol and an efficient MIX net protocol. Both can be implemented 
over the same homomorphic crypto system. 

We notice that the two technologies have different properties: 

- Counting including verification can be parallelised arbitrarily for homomorphic encryption, so it scales well and can produce a fast result. Further, it is easy to trace incorrectly formatted electronic votes back to their origin with this technology (this should never happen unless machines used for voting are malfunctioning or tampered with; instead there should be a correctly formatted invalid choice). The disadvantage is that a special zero-knowledge proof must be designed for each voting rule.

- MIX nets are more flexible when it comes to implementing different 
voting protocols because the same zero-knowledge proofs can be used 
for all voting rules. 

In one of the proposed embodiments of our invention we will combine both 
technologies in order to get the best properties from both technologies. 

The technologies discussed are sufficient to deal with the issues b) and c) mentioned in the introduction, so it remains to discuss the issue a). By having ballots printed, voters are provided with the service that they can see what they have voted on paper, and they have the same level of certainty as at a manual election that their vote will count, provided that a manual recount actually takes place. The idea, as already hinted, however has a number of shortcomings in its pure form:
- Almost no information is gained by checking a few votes in a district. The only action that makes sense is to make total recounts in a selection of districts.

- However, if let's say a manual recount takes place in 10% of the districts, this gives a 10% chance of being caught for somebody manipulating votes in a particular district for a particular election. This may well be a chance worth taking for a politician facing a ruined career if he loses. The same can be said for a 30% or a 50% chance.

Consequently quite comprehensive recounting is necessary in order to ensure that the mechanism works as intended, not only by revealing attempted fraud, but also by preventing attempts of fraud from happening by acting as a deterrent. Embodiments of an aspect of our invention have the following core properties:

- Electronic votes contain encrypted information identifying the manual vote and preferably the election district.

- The electronic votes can be detached from the identity of the voter by means of a MIX net or a similar mechanism in a secure way. After being detached from the identities of the voters, they are decrypted.

- We can pick a random sample of all the electronic votes of an arbitrary size.

Say that we want to ensure with 99% probability that at most 1% of the electronic votes are tampered with, i.e. contain different choices than the ones entered by the voters. Then we pick 459 random electronic votes. For each of those, if at least 1% of the electronic votes contain different choices than the corresponding manual votes, it has less than a 99% chance of passing the test of being compared to the corresponding manual vote. Consequently there is a probability of less than 0.99^459 = 0.009921 that all of them pass the test.

It is clear that letting electronic ballots identify non-existing printed ballots will be discovered. However, letting several electronic ballots identify the same printed ballot is a possible attack unless care is taken. The procedure that must be carried out in the individual districts is therefore to run through all printed ballots in the district to establish that there is exactly one printed ballot with the same identification as the electronic ballot and that the choices on the printed ballot are the same as on the electronic one.

For the ultimate case, a general election in the US say, it means that by examining 459 votes out of maybe 100.000.000 or even 200.000.000 and causing the rather simple procedure to happen in 459 randomly chosen election districts, you actually get quite confident that no large-scale fraud takes place with the electronic votes. And this is by carrying out a procedure simpler than counting manually in less than 10 election districts in each state on average.
Comment: Additional information on an electronic ballot can be used for coercion by entities with access to decrypted, depersonalised electronic ballots. Therefore the information should be represented on the printed ballot in a form difficult for voters to handle (not easier to copy than taking a photo of the ballot or essential parts of the ballot), and the voter should preferably not be able to influence the information. One possibility is to use random data represented as bar-codes on the printed ballots.

Comment: The way statistics behave when doing different kinds of checking follows from elementary mathematics. The low efficiency of the standard scheme of producing manual ballots without any other option than doing full recounts for election sites or election districts was also noticed in [NEF03]. However, in [NEF03] using printed ballots was seen as opposed to using testing based on providing voters with receipts. In particular it is clear that the solutions covered do not have the novel property that efficient testing can be done without providing voters with receipts, which they may have difficulties with handling and understanding. Instead, with embodiments of our invention voters are provided with a printed ballot, from which they can see directly what they voted. Consequently the usability properties of embodiments of our invention are superior compared to systems providing voters with receipts.

This scheme can also be carried out the other way around, in that paper ballots are picked and compared to anonymised electronic ballots. This has the advantage that less manual work is required. We propose the following scheme: the paper ballots are counted, and the number is compared to the number of electronic ballots from the district. Then some paper ballots are picked at random and it is verified that they correspond to electronic ballots and have the same content. If the number of paper ballots and electronic ballots are not the same, the paper ballots are counted. The property we are aiming at using is that if there is the same number of electronic and paper ballots, and a certain number of electronic ballots do not correspond to paper ballots, then the same number of paper ballots do not correspond to electronic ballots. Thus, if we know that all the paper ballots are different and the number of paper ballots corresponds to the number of electronic ballots, it is just as efficient to pick random paper ballots.

The procedure described above is efficient for revealing large-scale fraud. However, it still suffers from the deficit that it does not efficiently act as a deterrent against fraud in individual districts. Before we proceed with describing how to install such a deterrent, we will notice the difference between the requirement for having confidence in the overall accuracy of a country-wide election and the requirement for having a deterrent. The first needs to be established quickly such that the result of the election can take effect. For the latter to work, it is however enough that fraud is detected with a high probability inside a reasonable time window, for example a few months. That means that costs can be kept down when repeating the procedure in individual districts by having few MIX nets (and corresponding high-security facilities and staff) doing the electronic parts, and by giving districts reasonable deadlines for answering results such that they can organise their work efficiently. It also has the advantage that the capability of decrypting votes does not have to be distributed over too many facilities and persons.
We give an example of how an embodiment of another claim of our invention can act as an efficient deterrent.

Say we carry out the procedure described above with 194 randomly chosen votes in each district. Then in each district somebody manipulating 2% of the votes will face a 98% chance² that the fraud is detected. If he manipulates 1% of the votes he will face an 86% chance that it is detected, and if he manipulates 0.5% of the votes he will face a 62% chance that it is detected. If he manipulates 0.1% of the votes, he will face a 17% chance that it is detected, which is not much, but on the other hand his chances of influencing the outcome of the election by changing 0.1% of the votes are probably also not good. If fraud is detected in this way, a manual recount and a police investigation can be initiated such that the result of the election can be corrected and such that apparently fraudulent candidates and their assistants can be tried in court.

The number of votes checked and the procedure that takes place in case that fraud is detected can of course be tuned according to needs.
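The sample-size arithmetic for country-wide confidence (459 ballots for 99% confidence against 1% tampering) and the per-district deterrent figures for 194 checks, worked through as an added example; this is not code from the page or from Cryptomathic. It also computes the exact (without-replacement) pass chance for a small district, which footnote 2 only states qualitatively.

```python
import math

def sample_size(max_tampered_fraction, confidence):
    """Number of electronic ballots to compare with their printed ballots so that, if at
    least a fraction f of all electronic ballots were altered, the whole sample passes
    with probability at most 1 - confidence.  Solves (1 - f)^n <= 1 - confidence."""
    f = max_tampered_fraction
    return math.ceil(math.log(1 - confidence) / math.log(1 - f))

def pass_probability(tampered_fraction, n):
    """Chance that all n sampled ballots pass when the given fraction was altered, in the
    large-population approximation the text uses (each draw passes independently)."""
    return (1 - tampered_fraction) ** n

def detection_probability(tampered_fraction, n):
    """Chance that at least one sampled ballot disagrees with its printed ballot."""
    return 1 - pass_probability(tampered_fraction, n)

def pass_probability_exact(population, altered, n):
    """Exact chance that n ballots drawn without replacement from a district of
    `population` ballots, `altered` of them changed, all pass: C(population-altered, n)
    divided by C(population, n).  Smaller districts give a higher detection chance than
    the approximation, which is the point made in footnote 2."""
    clean = population - altered
    if n > clean:
        return 0.0          # n clean ballots cannot be drawn, so fraud is surely caught
    prob = 1.0
    for i in range(n):
        prob *= (clean - i) / (population - i)
    return prob

def deterrent_table(n, fractions=(0.02, 0.01, 0.005, 0.001)):
    """Detection chance in whole percent for each manipulated fraction when n ballots
    are checked in a district."""
    return {f: round(100 * detection_probability(f, n)) for f in fractions}

if __name__ == "__main__":
    n = sample_size(0.01, 0.99)
    print("ballots to sample for 99% confidence against 1% tampering:", n)
    print("chance that all of them pass with 1% altered: %.6f" % pass_probability(0.01, n))
    print("per-district deterrent with 194 checks:", deterrent_table(194))
    print("district of 1000 ballots, 10 altered, 194 checked, exact pass chance: %.6f"
          % pass_probability_exact(1000, 10, 194))
```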
We must expect that both the procedure for creating confidence in the result of the election and the deterrent will be used together. Further, this will be done in a manner as efficient as possible. We describe a procedure below:

- At each election site/district there is a PC with a scanner capable of reading the information on the paper ballots linking them to electronic ballots, but not necessarily capable of reading what is voted for. The PC is on-line, is running a special application and has access to the electronic anonymised votes.

- The paper ballots are scanned and a program on the PC verifies that all the ballots carry different information, that the information corresponds to information on an electronic vote and that the number of paper votes is the same as the number of electronic votes.

- A sample of (about 194) randomly chosen votes is collected. For each of those it is 
verified that the electronic vote corresponds to the paper vote. 
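The district procedure just listed, as an added example that is not code from the page: the prechecks over all scanned printed ballots (distinct link ids, each matched by an electronic ballot, equal counts), then the random sample comparison. The ballot data is constructed; link ids stand in for the bar-code data, and the outcome strings are assumed names for the actions the text prescribes.

```python
import random
from collections import Counter

# Constructed sample district (not data from the page).  After the MIX net and
# decryption, an electronic ballot is a (link_id, choice) pair with no voter identity;
# the matching printed ballot carries the same link id as a bar-code next to the
# choice the voter could read on it.
ELECTRONIC = [("b7e1", "A"), ("2c9f", "B"), ("91ad", "A"), ("e04b", "C"),
              ("5f38", "B"), ("a6d2", "A"), ("c310", "A"), ("7d55", "B")]
PAPER = list(ELECTRONIC)   # honest district: every printed ballot agrees

def precheck(paper, electronic):
    """Scan every printed ballot and check that the link ids are all different, that
    each names an existing electronic ballot and that the two counts agree.  Two
    electronic ballots pointing at one printed ballot are caught here, because with
    equal counts some other printed ballot is then left without a match."""
    paper_ids = [pid for pid, _ in paper]
    electronic_ids = [eid for eid, _ in electronic]
    findings = []
    dups = sorted(pid for pid, n in Counter(paper_ids).items() if n > 1)
    if dups:
        findings.append(("duplicate link id on printed ballots", dups))
    missing = sorted(set(paper_ids) - set(electronic_ids))
    if missing:
        findings.append(("printed ballot without electronic ballot", missing))
    if len(paper_ids) != len(electronic_ids):
        findings.append(("ballot count mismatch", (len(paper_ids), len(electronic_ids))))
    return findings

def sample_check(paper, electronic, n, seed):
    """Draw n printed ballots at random and compare each with the electronic ballot
    carrying the same link id.  Returns the link ids that disagree."""
    rng = random.Random(seed)   # seeded only so that runs are reproducible
    choice_by_id = dict(electronic)
    mismatches = [pid for pid, choice in rng.sample(paper, min(n, len(paper)))
                  if choice_by_id.get(pid) != choice]
    return sorted(mismatches)

def audit_district(paper, electronic, n, seed=0):
    """Outcome of the procedure: a failed precheck means the printed ballots are counted
    by hand; a mismatch in the sample triggers a manual recount and an investigation."""
    findings = precheck(paper, electronic)
    if findings:
        return {"outcome": "count printed ballots by hand", "findings": findings}
    mismatches = sample_check(paper, electronic, n, seed)
    if mismatches:
        return {"outcome": "manual recount and investigation",
                "findings": [("sample mismatch", mismatches)]}
    return {"outcome": "accepted", "findings": []}

if __name__ == "__main__":
    print(audit_district(PAPER, ELECTRONIC, 4))
    tampered = [("b7e1", "B")] + ELECTRONIC[1:]     # one electronic choice altered
    print(audit_district(PAPER, tampered, len(PAPER)))
```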



Public Key Cryptosystems 

A public key cryptosystem consists of three algorithms K, E, and D.

• K is the key generation algorithm and produces a public key, pk, and a secret key, sk.

• E is the encryption algorithm. It takes as input the public key pk and a message m. It produces a ciphertext c = E_pk(m). The algorithm may be randomized; it generates some random bits and uses them in the encryption process. When emphasizing these random bits, we write them as an explicit extra input to the encryption algorithm, i.e., c = E_pk(m;r).

• D is the decryption algorithm. It takes as input the secret key sk and a ciphertext c. Using this it produces m = D_sk(c).

² Probabilities are estimated under the assumption that there are many more than 194 votes. Lower numbers of votes in all cases give a higher probability of detection.



One particular group of public key cryptosystems is ElGamal-style cryptosystems.

Consider the group Z_p*, i.e., the multiplicative group of integers modulo p, where p is a prime. Let q be a prime such that q divides p-1. Then there is a cyclic subgroup G_q of Z_p* with order q. Let g be a generator for this group, i.e., <g> = G_q. The key generation algorithm picks primes q, p and a generator g as described above. It selects at random an element x ∈ Z_q and computes h = g^x mod p. It outputs public key pk = (q,p,g,h) and secret key sk = x.

To encrypt a message m ∈ G_q the encryption algorithm picks a random r ∈ Z_q and returns ciphertext c = (u,v) = E_pk(m;r) = (g^r mod p, h^r m mod p).

The decryption algorithm on a ciphertext c = (u,v) returns m = D_sk(c) = v u^(-x) mod p.

Another variant of the ElGamal cryptosystem uses the group Z_(n^2)*, where n = pq and p,q are large primes. The multiplicative group Z_(n^2)* of elements computed modulo n^2 has order n·lcm(p-1,q-1), and the element (1+n) has order n in Z_(n^2)*.

Here the key generation algorithm outputs two elements g,h of order lcm(p-1,q-1), i.e., pk = (n,g,h), and the secret key is sk = x, such that h = g^x mod n^2.

To encrypt a message m ∈ Z_n the encryption algorithm picks a random r and computes ciphertext c = E_pk(m;r) = (g^r mod n^2, h^r (1+n)^m mod n^2).

On ciphertext c = (u,v) the decryption algorithm outputs m = D_sk(c) = ((v u^(-x) mod n^2) - 1)/n.

Please note that ElGamal cryptosystems are homomorphic, i.e., E_pk(m1+m2; r1+r2) = E_pk(m1;r1) · E_pk(m2;r2).

Common for ElGamal-style cryptosystems is that we can secret share the secret key. This means that we can have several parties that each get a share of the secret key, and only by cooperating can they perform the decryption operation. This is important in voting, where we want to have strong security guarantees that no single party is capable of decrypting a ciphertext containing a voter's vote.

There are several methods for doing this secret sharing; here we focus only on a simple linear method. Let the secret key be x. We pick at random s1, ..., sk such that x = s1 + ... + sk. Give each party S1, ..., Sk the secret share s1, ..., sk; they now have a sharing of the secret key, but no proper subset of the parties can compute the secret key.

As a step in decrypting the ciphertext c = (u,v) we want to compute u^x (we will from now on not be explicit about the group we are working in; it can be modulo p, modulo n^2 or a completely different type of group, for instance one based on elliptic curves). The parties S1, ..., Sk can cooperatively do so. They simply compute u1 = u^s1, ..., uk = u^sk, and publish their decryption shares. Now, anybody can compute v u^(-x) = v (u1 · ... · uk)^(-1), and from that extract the message.
There is a problem though. Imagine a party Si cheats and supplies an incorrect decryption share. In that case, we may end up believing that the plaintext is something completely different from the message that was actually encrypted. To solve this we let the key generation algorithm compute verification keys h1 = g^s1, ..., hk = g^sk and output these together with the public key. We now demand that each server Si makes a zero-knowledge proof that ui has been computed with the same exponent si as has been used to compute hi. We will explain the notion of zero-knowledge proofs later; for now let us say that it proves the correct use of exponent si without revealing anything about si.
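The ElGamal variant over Z_p*, its homomorphic use for tallying, the additive sharing of x and the verification-key check described above, worked through as an added example; this is not code from the page or from Cryptomathic. It assumes toy parameters q = 1019, p = 2039, g = 4 (far too small for real use), votes encoded as g^v so that multiplying ciphertexts adds votes, and, for the proof the text defers, the Chaum-Pedersen proof of equal discrete logarithms made non-interactive with the Fiat-Shamir heuristic.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: p = 2q + 1 with p, q prime, so the
# squares of Z_p* form the subgroup G_q of order q, and any square other than 1
# generates it.
Q = 1019
P = 2 * Q + 1   # 2039
G = 4           # 2^2, a generator of G_q

def keygen(k):
    """K: secret key x in Z_q, public key h = g^x mod p, plus an additive sharing
    x = s1 + ... + sk (mod q) and verification keys hi = g^si for the k parties."""
    x = secrets.randbelow(Q - 1) + 1
    shares = [secrets.randbelow(Q) for _ in range(k - 1)]
    shares.append((x - sum(shares)) % Q)
    vkeys = [pow(G, s, P) for s in shares]
    return (Q, P, G, pow(G, x, P)), x, shares, vkeys

def encrypt(pk, m, r=None):
    """E_pk(m; r) = (g^r mod p, h^r m mod p) for a message m in G_q."""
    q, p, g, h = pk
    if r is None:
        r = secrets.randbelow(q)
    return pow(g, r, p), (pow(h, r, p) * m) % p

def decrypt(pk, x, c):
    """D_sk(c) = v u^(-x) mod p, for a holder of the whole secret key."""
    u, v = c
    return (v * pow(u, -x, pk[1])) % pk[1]

def encode_vote(pk, v):
    """Put the vote in the exponent, m = g^v, so that multiplying ciphertexts adds
    votes: E(g^v1; r1) * E(g^v2; r2) = E(g^(v1+v2); r1+r2)."""
    return pow(pk[2], v, pk[1])

def multiply(pk, c1, c2):
    """Homomorphic combination of two ciphertexts."""
    p = pk[1]
    return (c1[0] * c2[0]) % p, (c1[1] * c2[1]) % p

def decode_tally(pk, m, max_tally):
    """Recover v from g^v by exhaustive search; a tally is a small number."""
    for v in range(max_tally + 1):
        if pow(pk[2], v, pk[1]) == m:
            return v
    raise ValueError("tally out of range")

def challenge(pk, *transcript):
    """Fiat-Shamir challenge: hash the transcript and reduce modulo q."""
    data = ",".join(str(t) for t in transcript).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % pk[0]

def decryption_share(pk, u, s_i, h_i):
    """Party i publishes ui = u^si with a proof that the same exponent si was used for
    ui and for its verification key hi (Chaum-Pedersen equality of discrete logs,
    an assumed instantiation of the zero-knowledge proof the text leaves open)."""
    q, p, g, _ = pk
    u_i = pow(u, s_i, p)
    w = secrets.randbelow(q)
    a, b = pow(g, w, p), pow(u, w, p)
    e = challenge(pk, g, h_i, u, u_i, a, b)
    return u_i, (a, b, (w + e * s_i) % q)

def verify_share(pk, u, u_i, h_i, proof):
    """Check g^z = a hi^e and u^z = b ui^e for the recomputed challenge e."""
    q, p, g, _ = pk
    a, b, z = proof
    e = challenge(pk, g, h_i, u, u_i, a, b)
    return (pow(g, z, p) == (a * pow(h_i, e, p)) % p
            and pow(u, z, p) == (b * pow(u_i, e, p)) % p)

def combine(pk, c, published, vkeys):
    """Anybody can finish the decryption from verified shares:
    m = v (u1 * ... * uk)^(-1) mod p.  A bad share is rejected instead of silently
    yielding a wrong plaintext."""
    p = pk[1]
    u, v = c
    product = 1
    for (u_i, proof), h_i in zip(published, vkeys):
        if not verify_share(pk, u, u_i, h_i, proof):
            raise ValueError("invalid decryption share")
        product = (product * u_i) % p
    return (v * pow(product, -1, p)) % p

def tally(votes, k=3):
    """Encrypt each 0/1 vote, multiply all ciphertexts, let k parties decrypt the
    product and return the number of 1-votes."""
    pk, x, shares, vkeys = keygen(k)
    total = (1, 1)          # E(g^0; 0): the neutral element
    for v in votes:
        total = multiply(pk, total, encrypt(pk, encode_vote(pk, v)))
    published = [decryption_share(pk, total[0], s, h) for s, h in zip(shares, vkeys)]
    return decode_tally(pk, combine(pk, total, published, vkeys), len(votes))

if __name__ == "__main__":
    print("tally of [1, 0, 1, 1, 0]:", tally([1, 0, 1, 1, 0]))
```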



Commitments 

A commitment scheme consists of three algorithms K, C, and V.

• K is a key generation algorithm that outputs a public key pk.

• C is a commitment algorithm. It takes as input the public key pk and a message m. It outputs a commitment c = C_pk(m). C is a randomized algorithm, and when needed we write the random bits used as r, and have c = C_pk(m;r).

• V is a verification algorithm that outputs accept or reject. It takes as input a public key pk, a commitment c, and an opening (m,r). It outputs accept if and only if c = C_pk(m;r).

For the algorithms K, C, V to constitute a commitment scheme, we require that the 
commitment is hiding and binding. 

Hiding means that from a commitment c it must be infeasible to tell which message m is inside it. Hiding comes in two flavors, computational hiding and the stronger statistical hiding. A commitment is statistically hiding when even given infinite computing power it is still impossible to tell anything about the message inside the commitment.

Binding means that it is impossible to find a commitment c and two different openings (m1,r1) and (m2,r2) such that the verification algorithm will accept both openings. Also the binding property comes in two flavors, computational and statistical. A commitment is statistically binding if even with infinite computing power it is impossible to form a commitment c that can be opened in two different ways.

It is a fact from the cryptographic literature that a commitment cannot both be 
statistically hiding and statistically binding at the same time. It is possible to have 
commitments that are statistically binding and computationally biding, and in fact, the 
ElGamal cryptosystems mentioned above are examples of such commitments. In the 
following, we present three examples of statistically hiding and computationally 
binding commitments. 

Consider again the group Zp*, and the cyclic subgroup Gq of order q. Let g, h be two randomly chosen generators for this group, i.e., <g> = <h> = Gq. The public key output by the key generation algorithm is pk = (q,p,g,h). 

To commit to a message m ∈ Zq we pick at random r ∈ Zq, and let the commitment be c = g^r h^m mod p. 

An opening of the commitment c consists of (m,r), and V outputs accept if and only if m ∈ Zq, r ∈ Zq, and c = g^r h^m mod p. 
Another example of a commitment scheme is the following integer commitment scheme. We use the group Zn*, where n = pq is a product of two primes, such that p-1 and q-1 do not have any small odd divisors. The key generation algorithm picks two squares g, h ∈ Zn* at random. 

To commit to an integer m, select r as a random 2|n|-bit number and compute the commitment c = Cpk(m;r) = g^r h^m mod n. 

An opening of the commitment consists of (b,m,r) such that b is a square root of 1, and c = b g^r h^m mod n. 

A third example of a commitment scheme is the following. We have some cyclic group G and select four random generators g1, g2, h1, h2 for it. The public key is pk = (g1,g2,h1,h2). 

To commit to a message m ∈ G, pick r1, r2 at random and let the commitment be c = (u,v) = Cpk(m;r1,r2) = (g1^{r1} g2^{r2}, h1^{r1} h2^{r2} m). 

The opening is (m,r1,r2); the verification algorithm checks that c = (g1^{r1} g2^{r2}, h1^{r1} h2^{r2} m). 




An important property of all the above examples of commitment schemes is that they are homomorphic, i.e., Cpk(m1+m2;r1+r2) = Cpk(m1;r1) * Cpk(m2;r2), or, if we prefer multiplicative notation for the latter commitment's message space, we have Cpk(m1 m2;r1+r2,s1+s2) = Cpk(m1;r1,s1) * Cpk(m2;r2,s2). 

We can easily extend the commitments to commit to several values at once. Let the public key consist of g, h1, ..., hn. Then we can commit to m1,...,mn as c = g^r h1^{m1} ... hn^{mn}. 
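The commitment c = g^r h^m mod p from the first example, its multi-value extension g^r h1^{m1} ... hn^{mn} and the homomorphic property, as an added example that is not from the original text; it also shows why binding is only computational, by letting a dealer who knows log_g(h) open one commitment two ways. The toy parameters p = 2039, q = 1019 and the dealer handing back its trapdoor are assumptions of the example.

```python
# Added example, not from the original text: the commitment g^r h^m mod p in
# the order-q subgroup G_q of Z_p*, its homomorphic property, the multi-value
# variant g^r h_1^{m_1} ... h_n^{m_n}, and a demonstration that binding is only
# computational: whoever knows log_g(h) can open a commitment two ways.
# Toy parameters; key generation simulates a trusted dealer.
import secrets

P = 2039   # safe prime, p = 2q + 1 (toy size, not secure)
Q = 1019   # order of the subgroup G_q


def random_generator():
    """A random square mod p other than 1 generates the order-q subgroup."""
    while True:
        x = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if x != 1:
            return x


def keygen(n=1):
    """pk = (q, p, g, [h_1..h_n]); the dealer's trapdoor log_g(h_1) is returned
    only to demonstrate below why it must stay unknown to the committer."""
    g = random_generator()
    trapdoor = secrets.randbelow(Q - 1) + 1
    hs = [pow(g, trapdoor, P)] + [random_generator() for _ in range(n - 1)]
    return (Q, P, g, hs), trapdoor


def commit(pk, ms, r=None):
    """C_pk(m_1..m_n; r) = g^r h_1^{m_1} ... h_n^{m_n} mod p with r random in Z_q."""
    q, p, g, hs = pk
    r = secrets.randbelow(q) if r is None else r
    c = pow(g, r, p)
    for h, m in zip(hs, ms):
        c = c * pow(h, m % q, p) % p
    return c, r


def verify(pk, c, ms, r):
    """V accepts iff all m_i and r lie in Z_q and c = g^r prod h_i^{m_i} mod p."""
    q = pk[0]
    if not (0 <= r < q and all(0 <= m < q for m in ms)):
        return False
    return commit(pk, ms, r)[0] == c


def homomorphic_holds(pk, m1, m2):
    """C(m1; r1) * C(m2; r2) opens as (m1 + m2, r1 + r2): the property the
    shuffle argument on this page relies on."""
    q, p = pk[0], pk[1]
    c1, r1 = commit(pk, [m1])
    c2, r2 = commit(pk, [m2])
    return verify(pk, c1 * c2 % p, [(m1 + m2) % q], (r1 + r2) % q)


def equivocate(pk, trapdoor, c, m, r, m_new):
    """With x = log_g(h_1) known, r' = r + x(m - m') opens the same c to m',
    so binding rests on that discrete logarithm being unknown."""
    q = pk[0]
    r_new = (r + trapdoor * (m - m_new)) % q
    return verify(pk, c, [m_new], r_new)
```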

CLAIM 

The following variation of an integer commitment scheme. 

Let n = pq be the product of two primes p and q. Let furthermore p', q' be two primes dividing respectively p-1 and q-1. Reasonable sizes are |p| = |q| = 1500 bits and |p'| = |q'| = 120 bits. Both p, q, p' and q' must be kept secret. Let furthermore t be an integer such that t > |p'| + |q'|. For instance we could with the above parameters select t ≈ 300. 

Pick at random g, h such that <g> = <h> is a group of order p'q'. The key generation algorithm outputs the public key pk = (n,g,h,t). 

To commit to an integer m, pick at random r as a t-bit number. Compute the commitment c = Cpk(m;r) = g^r h^m mod n. 

To open the commitment, reveal the opening (m,r). The verification algorithm on opening (m,r) checks that c = g^r h^m mod n. 

Variations of the scheme: 

As mentioned before it is possible to make a variation of the integer commitment scheme that allows for commitment to multiple integers at once. 

One can select p', q' such that they are composites. It is important, however, that they are selected such that it is hard to guess a number N such that p'|N or q'|N. 

Note that we deliberately work in a moderately small subgroup of Zn* in order to gain better efficiency. This has potential use in both voting protocols and many other cryptographic protocols. 



Zero-knowledge proofs 

A zero-knowledge proof or zero-knowledge argument is an interactive protocol to be run between two parties (or in some cases more parties). We call them respectively the prover and the verifier. Both of them know some common input x, and now the prover wants to convince the verifier that x has some particular property, for instance that there exists a witness w such that (x,w) belongs to some NP-language. To do so, they exchange messages according to the zero-knowledge protocol, and in the end the verifier decides whether to accept or reject the statement. 

We call such an interactive protocol a zero-knowledge argument if it has the following three properties: 

• Completeness: If the prover knows a witness w for the property of x, then he can make an honest verifier accept. 

• Soundness: If the statement is false, i.e., no such w exists, then any (possibly cheating) prover cannot make an honest verifier accept. 

• Zero-knowledge: Any (possibly cheating) verifier does not learn anything but the veracity of the statement from interacting with an honest prover. 

There are many variations of how to define zero-knowledge proofs and arguments. Among them are non-interactive variants, where we instead assume that a common reference string, chosen with some particular distribution, is available to both prover and verifier. Non-interactive zero-knowledge proofs and arguments are publicly verifiable. 

Another variation is honest verifier zero-knowledge, where the zero-knowledge property holds if the verifier follows the protocol, but may not hold if the verifier deviates from the protocol. A stronger version of this is special honest verifier zero-knowledge, where the verifier's messages are public coin (i.e., consist of uniformly random bits) and where it is possible to simulate the entire proof (without knowledge of the witness w) if we are given in advance the messages (challenges) that the verifier sends. 

A popular method for making a special honest verifier zero-knowledge proof non-interactive is the Fiat-Shamir heuristic. In the Fiat-Shamir heuristic, we compute the challenges as suitable hash values. This means that we do not need a verifier to choose the challenges. 
Mix-nets 

Suppose we have a bunch of ciphertexts c1 = (u1,v1) = Epk(m1), ..., cn = (un,vn) = Epk(mn). We want to learn the messages m1,...,mn, but in a random order; we do not want anybody to be able to link messages and ciphertexts. 




A group of servers cooperating to do so is called a mix-net. Using ElGamal encryption we can construct a mix-net in a simple manner. Using the secret sharing described before, the servers S1,...,Sk each have a share s1,...,sk of the secret key such that x = s1 + ... + sk. 

Server S1 peels off the layer of encryption corresponding to its own secret share, rerandomizes the ciphertexts and outputs them in a permuted order. I.e., S1 selects a permutation π, randomizers R1,...,Rn and outputs (U1 = g^{R1} u_{π(1)}, V1 = (h2*...*hk)^{R1} v_{π(1)} u_{π(1)}^{-s1}), ..., (Un = g^{Rn} u_{π(n)}, Vn = (h2*...*hk)^{Rn} v_{π(n)} u_{π(n)}^{-s1}). 

Server S2 peels off another layer of the encryption corresponding to its secret share, i.e., if we call the output from S1 (u1,v1),...,(un,vn), then it selects a permutation π, randomness R1,...,Rn and outputs (U1 = g^{R1} u_{π(1)}, V1 = (h3*...*hk)^{R1} v_{π(1)} u_{π(1)}^{-s2}), ..., (Un = g^{Rn} u_{π(n)}, Vn = (h3*...*hk)^{Rn} v_{π(n)} u_{π(n)}^{-s2}). 

When the last server Sk peels off a layer of the encryption, then V1,...,Vn constitute a permutation of m1,...,mn. More precisely, if we call the permutations selected by S1,...,Sk π1,...,πk, and let π = π1(...(πk(·))...), then we have V1 = m_{π(1)}, ..., Vn = m_{π(n)}. However, only if all servers cooperate will they know π and be able to link messages to their ciphertexts. Conversely, if just a single server is honest, then the permutation is secret. 

Mix-nets are useful in voting, since they allow encrypted votes to be decrypted and permuted. This way votes can be counted, but at the same time nobody can link voters with their votes. 



Shuffle-and-decrypt 

The problem in the above mix-net is how to avoid that one of the servers replaces encrypted votes with ciphertexts containing false votes. One possible solution to this problem is to let each server make a zero-knowledge argument of correctness of the shuffle-and-decrypt operation it performs. 

I.e., call the input (u1,v1),...,(un,vn) and the output (U1,V1),...,(Un,Vn). Furthermore, let g, h and H be public. 

The prover has private input π, R1,...,Rn and s, such that h = g^s and (U1 = g^{R1} u_{π(1)}, V1 = H^{R1} v_{π(1)} u_{π(1)}^{-s}), ..., (Un = g^{Rn} u_{π(n)}, Vn = H^{Rn} v_{π(n)} u_{π(n)}^{-s}). 

CLAIM 

The following method to demonstrate that indeed (u1,v1),...,(un,vn), (U1,V1),...,(Un,Vn), g, h, H is on the form described above, without revealing π, R1,...,Rn and s. 
We need additional public data in the form of public keys for three types of commitment schemes. We omit explicitly writing the public keys, and simply write respectively mcom, commit, and COM for the three commitments. 

Multi-commitment mcom is used for committing to multiple messages at once, in our case n messages. Furthermore, it has a homomorphic property, i.e., mcom(m1+M1,...,mn+Mn;r+R) = mcom(m1,...,mn;r) * mcom(M1,...,Mn;R). 

Commitment scheme commit is used for committing to a single element at a time. It too has a homomorphic property: commit(m+M;r+R) = commit(m;r) * commit(M;R). 

Finally, we use a base commitment scheme COM, where the homomorphic property is COM(mM;r+R,s+S) = COM(m;r,s) * COM(M;R,S). 



The protocol proceeds in 7 steps: 

1. The prover picks rs at random and computes cs = mcom(π(1),...,π(n);rs). He sends cs to the verifier. 

2. The verifier picks at random t1,...,tn and sends them to the prover. 

3. The prover picks rt at random and computes ct = mcom(t_{π(1)},...,t_{π(n)};rt). He sends ct to the verifier. 

4. The verifier picks λ and x at random and sends them to the prover. 

5. The prover computes the following: 

For j = 1 to n: aj = (π(1) + λt_{π(1)} - x) * ... * (π(j) + λt_{π(j)} - x). 
Picks d1,...,dn and rd at random and sets cd = mcom(d1,...,dn;rd). 
Picks d at random and sets D = g^d. 

Picks r1,...,rn at random and computes c1 = commit(d1;r1), c2 = commit(d2 a1;r2), ..., cn = commit(dn a_{n-1};rn). Picks r at random and sets c = commit(0;r). 

Picks R at random and computes U = g^R U1^{d1} * ... * Un^{dn}, V = (hH)^R V1^{d1} * ... * Vn^{dn} (U1^{d1} * ... * Un^{dn})^s, and W = (U1^{d1} * ... * Un^{dn})^d. 
Picks Rv and Rw at random and sets Cv = COM(V;Rv) and Cw = COM(W;Rw). 

He sends cd, D, c1,...,cn, c, U, Cv, Cw to the verifier. 

6. The verifier picks e at random and sends it to the prover. 

7. The prover computes the following: 

f1 = e(π(1) + λt_{π(1)} - x) + d1, ..., fn = e(π(n) + λt_{π(n)} - x) + dn, and zf = e(rs + λrt) + rd. 

z = r - e f2...fn r1 - ... - e^n rn. 

Z = R - e(R1(π(1) + λt_{π(1)} - x) + ... + Rn(π(n) + λt_{π(n)} - x)). 

f' = es + d. 

Zv = eRv + Rw. 

He sends f1,...,fn, zf, z, Z, f', Zv to the verifier. 

The verifier accepts if all elements belong to the correct groups and have the correct size, and the following checks pass: 

Set cx = mcom(x,...,x;0) and check that mcom(f1,...,fn;zf) = (cs ct^λ cx^{-1})^e cd. 

Check that commit(e^{n+1} (1 + λt1 - x) ... (n + λtn - x) - e f1...fn; z) = c1^{-e f2...fn} c2^{-e^2 f3...fn} ... cn^{-e^n} c. 

Check that g^Z U1^{f1} * ... * Un^{fn} = (u1^{1+λt1-x} * ... * un^{n+λtn-x})^e U. 

Check that g^{f'} = h^e D. 

Check that COM(...;Zv) = Cv^e Cw, where the committed value is formed from V1^{f1} ... Vn^{fn}, (U1^{f1} ... Un^{fn})^{f'}, (hH)^Z and (v1^{1+λt1-x} ... vn^{n+λtn-x})^e. 
The protocol above is public coin, complete, sound and statistical honest verifier zero-knowledge. 

Using techniques from [GMY] it is a simple matter to make it statistical zero-knowledge. Using the Fiat-Shamir heuristic, i.e., computing the challenges ti, λ, x and e as suitable cryptographic hashes, it is easy to make the protocol non-interactive. This way it can also be made publicly verifiable. 

Using randomization it is possible to speed up the verification process, see [DGS] and [BGR] for comments on batching techniques. It is furthermore well known that various techniques for fast multiple exponentiation exist. For instance we can pick γ at random and check whether COM(...) = Cv^e Cw. This saves n exponentiations. 




Efficient proofs for proving correctness of decryption are well known in the cryptographic literature. Likewise, many proofs of correctness of a shuffle exist [FS,G,NEF01,Npatent]; embodiments of our proposed shuffle-and-decrypt proof are zero-knowledge and more efficient than previous proofs. 

Shuffle-and-decrypt proofs can be used in anonymization protocols; voting protocols are one particular instance of protocols where anonymization is needed. 



Optimized MIX nets 

A traditional MIX net consists of a number of shuffle servers, each refreshing the randomness part of the encryption of encrypted votes, each permuting the votes and each producing a zero-knowledge proof that their output is a permutation and re-encryption of the input. In the final step the votes must be decrypted and zero-knowledge proofs must be included that the votes have been decrypted correctly. The correctness of the result of the election can be verified by an external audit facility, which verifies correctness of the counting by inspecting the input, output and zero-knowledge proofs of each server. 

A Mix net. The S servers re-encrypt (refresh randomness) and permute votes, whereas the S' server decrypts votes. All provide zero-knowledge proofs that they have done their tasks correctly. 

It is not desirable that the private key used for decryption is in the possession of only one entity. Therefore S' should consist of several entities, which secret-share the private key of the election. However this solution is impractical. 

The [DGS] crypto system is special since it is ElGamal style. It is thus possible to share the secret key X as a sum of keys X1 + ... + Xm, where each Xi is known to one shuffle (h = g^X in the system, the pair (g,h) is the public key, whereas X is the secret key). 

Each shuffle can then partially decrypt, re-randomize and make a shuffle proof. The mechanism for partial decryption and re-randomization is: 

(g^r, (1+n)^v h^r) -> (g^{r+R}, (1+n)^v (h g^{-Xi})^{r+R}), 

where v is the vote including marking with correspondence to a manual vote, r is the original randomness, R is new randomness, g is a generator, h = g^X and (1+n) is a special element generating a group with an efficient discrete logarithm. 
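The mix-net of the Mix-nets section (each server strips its own key share, re-randomizes and permutes) carried out over the ElGamal-style encoding (g^r, (1+n)^v h^r) just shown, as an added example that is not code from the original text or from [DGS]. The toy modulus n = 1009 * 1013, three servers and the votes are constructed values, and the zero-knowledge proofs are omitted.

```python
# Added example, not from the original text or from [DGS]: a mix-net over an
# ElGamal-style system in Z_{n^2}* with votes encoded as (1+n)^v. The secret
# key X = X_1 + ... + X_m is split additively between the shuffle servers, and
# each server partially decrypts with its share, re-randomizes and permutes:
# (g^r, (1+n)^v h^r) -> (g^{r+R}, (1+n)^v (h g^{-X_i})^{r+R}).
# The modulus, the number of servers and the votes are toy values; the
# zero-knowledge proofs discussed on the page are omitted.
import math
import secrets

_rng = secrets.SystemRandom()
_P, _Q = 1009, 1013      # toy RSA primes; n = pq is public, its factors are not
N = _P * _Q
N2 = N * N


def _unit():
    """Random element of Z_{n^2}* (coprime to n)."""
    while True:
        x = _rng.randrange(2, N2)
        if math.gcd(x, N) == 1:
            return x


def keygen(m):
    """Public key (g, h = g^X) and the m additive shares X_1..X_m of X."""
    g = _unit()
    shares = [_rng.randrange(1, N2) for _ in range(m)]
    return g, pow(g, sum(shares), N2), shares


def encrypt(g, h, vote):
    """(g^r, (1+n)^v h^r) mod n^2; (1+n) has order n and (1+n)^v = 1 + vn."""
    r = _rng.randrange(1, N2)
    return pow(g, r, N2), pow(1 + N, vote, N2) * pow(h, r, N2) % N2


def decode(b):
    """Recover v from (1+n)^v = 1 + vn mod n^2 (valid for v < n)."""
    if (b - 1) % N != 0:
        raise ValueError("not a fully decrypted vote encoding")
    return (b - 1) // N


def mix_server(g, h_in, x_i, ciphertexts):
    """One shuffle server: strip its own key layer, re-randomize under the
    remaining key h_out = h_in g^{-x_i}, and output a secret random order."""
    h_out = h_in * pow(pow(g, x_i, N2), -1, N2) % N2
    out = []
    for a, b in ciphertexts:
        big_r = _rng.randrange(1, N2)
        a2 = a * pow(g, big_r, N2) % N2
        b2 = b * pow(pow(a, x_i, N2), -1, N2) * pow(h_out, big_r, N2) % N2
        out.append((a2, b2))
    _rng.shuffle(out)        # the permutation stays with this server
    return h_out, out


def run_mixnet(votes, m=3):
    """Encrypt the votes, pass them through m servers and decode the output.
    Returns the votes in mixed order and the remaining public key, which is
    1 exactly when every share has been stripped."""
    g, h, shares = keygen(m)
    cts = [encrypt(g, h, v) for v in votes]
    h_cur = h
    for x_i in shares:
        h_cur, cts = mix_server(g, h_cur, x_i, cts)
    return [decode(b) for _, b in cts], h_cur
```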

We will arrange embodiments of our voting system such that each shuffle partially decrypts the votes using its share of the secret key. The final server completes the decryption of the votes and produces zero-knowledge proofs of the correctness of the decryptions. In this way we will not need additional entities in order to perform the decryption securely. Two different types of embodiments using this type of encryption are possible. 

- Embodiments where the shuffles perform zero-knowledge proofs of the correctness of their actions and the keys for the input and output encryptions are different. 

- Embodiments where the verification of correctness of votes and the computation of the result is done out of band using homomorphic encryption properties. We will provide an example embodiment of our invention of this type. (In this case the maximal security is obtained with 3 shuffle servers and a server for decrypting the result. Three servers need to cooperate to break the secrecy in this case. We do not consider this to be a large problem since three shuffle servers is the natural choice.) 



A naive MIX net implementation is not very fast. However, doing zero-knowledge 


- Partially decrypting in each shuffle and not providing zero-knowledge proofs gives a factor of about 3. 

- Partial decryption and rerandomization of votes can be parallelized arbitrarily. This gives an improvement of performance by a factor of 5-10. 
- The order in which the servers process each vote need not be the same for all votes. For example, if there are three servers performing re-encryption, the votes can be distributed in three pools depending on their election district (since the result will normally be specified per election district, permutations between election districts are not relevant) and the pools are rotated between the re-encrypting servers until each vote has been once at each server. This gives a factor of about 3 compared to naively letting the first server finish its work before the next server starts. 

- If g is chosen in a subgroup of small order with elements that are indistinguishable from elements of the whole of Z_{n^2}*, randomness and keys may be chosen shorter. Such optimisations are known for ElGamal over a prime and are also possible with ElGamal over an RSA modulus. It may give a factor 2-4 depending on the size of the RSA modulus of the crypto system. 

All in all this means that detachment of identities from votes can be performed about 45-90 times faster than for a naive MIX net implementation. The final decryption of votes can also be parallelized arbitrarily. 



Attacks against the Scheme. 

In order for a MIX net to have optimal security properties it is necessary that each shuffle server verifies the zero-knowledge proofs of the predecessors before it performs its own MIX. As we have discussed this is not optimal with respect to performance, so it is fair to provide an account of the attacks made possible by not letting this verification take place. 

If we count the votes by an out of band method, we can be sure that it will be 
discovered if the result of the election is altered. In the embodiment we will provide 
such a count is done securely using a homomorphic count. Thus we will have full 
security when it comes to making sure that the result of the election is correct. 

However, some attacks against the secrecy of the election are possible. Since the crypto-system is homomorphic, the first S server can add numbers to votes and it can multiply the votes by a constant factor; this can normally be done in a way such that the vote as well as the number added can be separated from each other when the vote is decrypted. We will say that the encrypted votes are marked. Depending on which servers the first S server cooperates with, different properties of the attack are possible. 

- If the first S server acts alone, the decrypting server will discover the fraud but also be presented with the association between identities of voters and votes cast. If the decrypting server is honest, not compromised and checks whether votes are correctly formatted before they are published, the anonymity of the election will not be broken. Further, the fraud will be detected and a delayed count can take place with the first S server replaced. 

- If the first S server and the decrypting server work together, they will together be able to break the secrecy of the election completely. Because of the zero-knowledge proofs of correct decryption of votes, the fraud will be detected. 
- If the first S server and the decrypting server work together with all external audit facilities used, the abovementioned fraud need not be detected. (The decrypting server can in this case clean the votes before it publishes them and provide wrong zero-knowledge proofs that the audit facilities will let through undetected.) 

- If the first S server and the decrypting server work together with the last S server, they will be able to break the secrecy together without being detected. (The decrypting server decrypts votes, sends them back to the last S server, which cleans its encrypted output for the marks and submits a new, correct output.) 

The basic properties are that two servers need to cooperate in order to break the secrecy, while accepting that their fraud will be detected. Three entities need to work together in order to break the secrecy without being detected. This can be improved on slightly by letting either the first or the last S server carry out a shuffle proof. 

In the case where we have two S servers and one decrypting server we see that there is no real loss of security. The two S servers could anyway break the secrecy by interchanging permutations. The first attack also has the equivalent that one of the S servers submits its permutation in clear text to the other S server; this will be discovered by the other S server, which will (unwillingly) be able to break the secrecy. 



Write-In Candidates 

In the US and some other countries it is common to use write-in candidates. That 
means that it is possible to vote for a candidate not on the list. This cannot be ignored 
for embodiments of systems to be applied in practice. 

MIX nets can handle write-in candidates without problems, whereas homomorphic encryption cannot deal with write-in candidates. Below we describe how homomorphic encryption can however be used to prove that a list of write-in candidates is correct. First we give some background on commitment systems: 

A verification system is a computationally hiding commitment system that is further supplied with a private key that breaks the computationally hiding property without breaking the commitment system properties. That means that a person in possession of a secret key X for the verification system will be able to verify a claim that a given commitment contains a given message without being provided with an opening of the commitment. However, knowledge of X will not provide any knowledge at all about the cipher-text space of the commitment system. In particular, the cipher-text space observed by a person with knowledge of X may appear to be an infinitely large space like Z, just as if the person had not been in possession of X. 

A homomorphic verification system is a verification system for which the underlying 
commitment system is homomorphic. 
Example: Consider Zn*, where n is an RSA modulus with unknown factorization. Pick generators f and h of Zn*, and set g = f^X for a randomly chosen X. We define the ElGamal style homomorphic system 



Then V is a homomorphic commitment system and X is the secret key that breaks the computationally hiding property. 

Please notice that V is not a crypto system. The discrete logarithm in Zn* cannot be computed efficiently, so decryption is impossible if n is a large RSA modulus. In fact, if decryption were possible in general, the real message space would be known, which would imply breaking the RSA modulus, which is clearly not possible from the information given. Also in this way we see that the message space is Z, so the basic properties of the commitment systems are preserved. 

In short we observe that this system has the property that the message space is all of Z, that the system is computationally hiding for an adversary without knowledge of the secret key X, but that entities with knowledge of the secret key are able to verify efficiently a claim that a commitment is a commitment to a particular value. Further, the private key can be secret shared like for other ElGamal style systems. 

We remark that cryptographic primitives with the same properties as verification systems but without the homomorphic property are easy to construct from standard cryptographic primitives. For example one can take a hash function H with 16 byte output, consider the hash value H(m) as an AES key, use this key to encrypt a fixed value and finally encrypt the result using a public RSA key. This primitive allows persons in possession of the corresponding private RSA key to verify whether it was computed on a fixed value, whereas it is computationally hiding for persons not in possession of the private key. Such a primitive could for example be used for time-stamping systems that allow only particular entities to verify time-stamps. 

One novel aspect of embodiments of our invention of homomorphic verification systems is therefore the ability to verify several claims in one combined operation while keeping some properties of the individual claims secret. In the novel applications for voting systems we shall see, it will be the origin of the individual messages. 

Claim: Use of a homomorphic verification system to verify a list of messages without revealing the origin of the individual messages. The entities producing the messages each choose a random number ei and submit mi to one entity (entity A) and to another entity (entity B) in such a way that it is properly authenticated. The authenticity of the {mi} is verified by having entity B submit Π V(ei, ri)^{mi} to entity A, which computes C = Π V(mi ei, ρi) / Π V(ei, ri)^{mi}. Finally a trusted entity, which knows X, verifies that C is a commitment to zero. 

Let E denote a homomorphic crypto system. The implementation in the context of a voting system can be done as follows (for simplicity we use V as commitment system also; in practice some commitments would be done in a simpler system, which is preferably statistically hiding): 

- Let v be the vote, v = Σ δj M^j. Some indices j represent write-in votes, whereas others represent candidate or list votes. M = p is a square of a prime larger than the number of voters (see [DGS], [DJ01]). 

- Submit E(v), V(Σ δj p^j) together with a non-interactive zero-knowledge proof of equivalence between the two and a non-interactive zero-knowledge proof that the vote conforms with the rules of the election (see [DGS], [DJ01]). 

- Let m be a write-in vote corresponding to index k. Submit E(m), V(m) together with a non-interactive zero-knowledge proof of equivalence of E(m) and V(m) and a non-interactive zero-knowledge proof that either m = 0 or δk = 1. (This can be done by decomposing V(Σ δj p^j) into two commitments v1 = V(δk p^k) and v2 = V(Σ_{j≠k} δj p^j), proving that either v1 or V(-p^k) v1 is a commitment to zero, and proving that either V(m) or V(-p^k) v1 is a commitment to zero. Such proofs are standard.) 

- Pick a random number em and submit V(em) and V(m em) together with a multiplication proof that the content of V(m em) is the product of the content of V(em) and V(m). 

- Sign the entire vote including all proofs. 

Notice that the number em will never become known to anybody since no encryption of it is submitted. 

Now say that we count the votes by using the homomorphic property and decrypt the result. By using the homomorphic property we get the encryption: 

V1 = V(Σ m em) = Π V(m em). 

If we also use a MIX net, we get the individual numbers m and V(em) coupled in pairs but detached from the identities of the voters. Thus we may compute 

V2 = V(Σ m em) = Π V(em)^m. 

Using the secret key X, secret shared between the same persons that share the private key for the crypto system (homomorphic sharing, not the sharing between MIX net servers), we can check that V1 and V2 have the same content. If the em were chosen large and random, there is in practice no way to fake this. 
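The write-in check with V1 = Π V(m em) and V2 = Π V(em)^m, and the entity A / entity B claim above, as an added example that is not from the original text. The page does not write out V; the example assumes the ElGamal-style form V(m;r) = (f^r, g^r h^m) mod n with g = f^X, under which X yields h^m and so lets the key holder test a claimed content without learning m. The toy modulus, the voters' write-ins, and the omission of E(·), the proofs and the mix-net itself are assumptions of the example.

```python
# Added example, not from the original text: the write-in check with
# V_1 = prod V(m e_m) and V_2 = prod V(e_m)^m. The page does not write out V;
# this demo assumes the ElGamal-style form V(m; r) = (f^r, g^r h^m) mod n with
# g = f^X, so that X reveals h^m (enough to test a claimed content) but not m.
# The encryptions E(.), all zero-knowledge proofs and the mix-net itself are
# left out; the modulus and the voters' write-ins are constructed toy values.
import math
import secrets

_rng = secrets.SystemRandom()
N = 1019 * 1187            # toy RSA modulus built from two safe primes


def _unit():
    """Random element of Z_n*."""
    while True:
        x = _rng.randrange(2, N)
        if math.gcd(x, N) == 1:
            return x


def keygen():
    """Public key (f, g = f^X, h); X is the verification key."""
    f, h, x = _unit(), _unit(), _rng.randrange(2, N)
    return (f, pow(f, x, N), h), x


def V(pk, m, r=None):
    """Commit to a non-negative integer m: (f^r, g^r h^m) mod n."""
    f, g, h = pk
    r = _rng.randrange(1, N) if r is None else r
    return pow(f, r, N), pow(g, r, N) * pow(h, m, N) % N


def mul(c1, c2):
    """Homomorphic property: V(m1; r1) * V(m2; r2) = V(m1 + m2; r1 + r2)."""
    return c1[0] * c2[0] % N, c1[1] * c2[1] % N


def power(c, k):
    """V(m; r)^k = V(k m; k r)."""
    return pow(c[0], k, N), pow(c[1], k, N)


def content_tag(c, x):
    """With X: (f^r)^X = g^r, so dividing the second component by it gives
    h^m, a tag of the content that still hides m itself."""
    a, b = c
    return b * pow(pow(a, x, N), -1, N) % N


def cast_write_in(pk, m):
    """A voter with write-in m picks a large random e_m and submits V(e_m) and
    V(m e_m); e_m itself is never encrypted or revealed."""
    e = _rng.randrange(1, N)
    return {"m": m, "V_e": V(pk, e), "V_me": V(pk, m * e)}


def tally_check(pk, x, ballots, mixed_pairs):
    """V_1 = prod V(m e_m) over the submitted ballots; V_2 = prod V(e_m)^m over
    the mix-net output pairs (m, V(e_m)). The key holder accepts iff both have
    the same content, i.e. iff V_1 / V_2 is a commitment to zero."""
    v1 = (1, 1)
    for b in ballots:
        v1 = mul(v1, b["V_me"])
    v2 = (1, 1)
    for m, v_e in mixed_pairs:
        v2 = mul(v2, power(v_e, m))
    return content_tag(v1, x) == content_tag(v2, x)


def demo():
    """Honest mix output passes; an output in which one write-in m has been
    replaced fails, because the matching e_m is unknown to whoever did it."""
    pk, x = keygen()
    ballots = [cast_write_in(pk, m) for m in (7, 12345, 0, 99)]
    honest = [(b["m"], b["V_e"]) for b in ballots]
    _rng.shuffle(honest)                  # the mix-net detaches identities
    tampered = list(honest)
    tampered[0] = (honest[0][0] + 1, honest[0][1])
    return tally_check(pk, x, ballots, honest), tally_check(pk, x, ballots, tampered)
```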

Claim: Use a homomorphic crypto system, for example the system described above, with a homomorphic property to check the write-in votes. 

Claim: Also use a homomorphic crypto system, for example the system described above, in the way that all votes are tested as write-in votes, i.e. there are no zero-knowledge proofs of correctness of normal votes, only use of this mechanism. 

Claim: Also use a homomorphic crypto system, for example the system described above, for verifying correctness of decryption. 
Attacks against the Scheme. 

If the machines from where voters vote leak the em, it may be possible for the last shuffle server and the decrypting server together to produce different m's. Notice however that this requires three cooperating entities and will with a high probability be detected by the tests against paper ballots in our invention. 

Also some attacks against the secrecy of the election are possible. The first S server can replace E(mi) and V(ei) in some ways: 

- Replaced by E(mi)^2 and V(ei)^2, or by higher powers. If write-in votes are published no matter whether they make sense or not, or if the first S server works together with the decryption server, this can be used to check what individual voters voted. This will be detected unless further the last S server is also involved in the fraud. 

- Replaced by E(mi)^2 E(-m0) and V(ei). This can be done and will pass all tests provided that the first S server correctly guesses the content m0 of each vote it tampers with. 

The last attack is potentially rather serious because the first S server can be buying votes and use it for verifying that the vote-sellers deliver. Consequently, as long as vote-sellers are honest this vote-buying will not be detected. However, if a vote-seller does not deliver, the fraud will be detected. This attack (and similar ones with different powers than 2) can be made infeasible by including a few random bits in each vote at a specific location. 

Again we conclude that whereas this is not quite as secure as a MIX net where all shuffle-proofs of predecessors are verified before the next shuffle server starts, attacks against the result of the election will be discovered with high probability, whereas attacks against the secrecy of the election that are not discovered require at least two cooperating entities if the votes are enhanced with a few random bits. 

Signing Votes 

digital signatures, so the scope of the claims in this document is independent of this. We nevertheless motivate the approach we have taken in our embodiments, where encrypted votes are digitally signed such that there is 100% accountability about exactly where each electronic vote came from. Some pilot systems have attempted to use chip cards³ for that purpose, but face the difficulty that chip cards are expensive and that chip cards with signing keys are not widespread. 

The alternatives to using a portable device like a chip card to store the private keys of the voter on are to: 

- Not store the private key. 

- Store the private key in a non-portable device. 



The first option is taken in the e-Vote project, where the Internet-voting pilot system works in the way that a public/private key pair is generated in an applet running on the computer of the voter. A certificate on the public key is then issued on the fly based on credentials that the voter receives by mail, such that the vote can be properly signed. Depending on the procedures applied for distributing the credentials and the properties, configuration and operation of the on-line CA, this may be a legally binding signature. By using this mechanism the e-Vote system is optimal in the sense that it uses the simplest and cheapest possible mechanism for creating legally binding signatures on encrypted electronic votes. 

For an e-voting system that takes place at election sites it is however unacceptable 
that the devices used for casting votes store the private key of the voter (even if, 
supposedly, only for a short time). The remaining option is thus to store the private 
key in another, non-portable device. Such a device, which we call the Signer, is 
described in our patent application PCT/GB02/03707. The Signer will then be 
operated at central locations different from election sites. Digital signatures are 
produced by the Signer on the basis of credentials provided by the voters, and each 
digital signature is logged by the Signer. 

It is strongly preferable that two-factor authentication is used for voting [4]. One factor 
is used in the public sphere, such that vote-buying by buying credentials can be 
prevented. The other factor is used in privacy when the vote is cast, such that 
accountability is assured. The Signer is designed to deal with two-factor 
authentication in a highly secure and tamper-resistant way, since it is distributed over 
two servers that each know only one factor of the authentication. 

We conclude that circumstances dictate the Signer approach to be the preferred 
solution, both cost-efficient and secure to use. If the Signer is used it is sufficient 
that each voter receives a voter card by mail as usual, with the two authentication 
factors printed on it, in order to produce digital signatures. 

Use of the Signer preferably requires the e-voting system to be on-line. However, the 
security [5] does not rely on confidence in the device used for casting votes, and printed 
ballots may serve as backup in case of lacking on-line availability. 


[3] The Cybervote project is an example. DRE systems also use chip cards, but in a different way that is 
not related to digital signatures and does not provide the accountability we are discussing. 

[4] We preserve the option that the voter receives both factors in one letter. This is not really a problem 
since the identity of the voter can be checked when giving off the first factor (with the same level of 
scrutiny that is used for manual elections, which differs a lot from country to country). The central point 
is that vote-buying must be prevented by having a public and a private authentication factor. 

[5] At least security against undesired influence on the outcome of elections. 
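The following is an added example written for this page, not code from the original document or from the Signer described in PCT/GB02/03707. It models the two-factor Signer as two servers that each hold a salted hash of one factor: the public factor is presented to the "Enter Voting Site Application" after the manual identity check, the private factor is presented in the booth, and a vote is signed only when both halves agree. The split, the admission step, the voter ids, the factor strings and the function names are all assumptions; HMAC-SHA256 stands in for the digital signature (a real Signer uses a public-key signature so that the Collection Point can verify it without the signing key). Every signature is appended to a log, which is what the Signer-log checks after the election rely on.

```python
"""Toy two-server Signer for two-factor vote signing (added example, assumptions
marked in the lead-in; HMAC stands in for a public-key signature)."""
import hashlib
import hmac
import secrets
import time


def _hash_factor(voter_id: str, factor: str) -> bytes:
    # Factors are printed on the voter card; the servers store only hashes bound
    # to the voter id, never the factors themselves.
    return hashlib.sha256(f"{voter_id}:{factor}".encode()).digest()


class FactorServer:
    """One half of the Signer: knows exactly one authentication factor per voter."""

    def __init__(self, name: str):
        self.name = name
        self.factors = {}       # voter_id -> hash of this server's factor
        self.disabled = set()   # voters who ceased to be eligible or lost credentials

    def register(self, voter_id: str, factor: str) -> None:
        self.factors[voter_id] = _hash_factor(voter_id, factor)

    def disable(self, voter_id: str) -> None:
        self.disabled.add(voter_id)

    def check(self, voter_id: str, factor: str) -> bool:
        stored = self.factors.get(voter_id)
        return (stored is not None and voter_id not in self.disabled
                and hmac.compare_digest(stored, _hash_factor(voter_id, factor)))


class Signer:
    def __init__(self):
        self.public_side = FactorServer("A")     # factor shown at the site entrance
        self.private_side = FactorServer("B")    # factor entered in the booth
        self.admitted = set()                    # filled by the Enter Voting Site App
        self.sign_key = secrets.token_bytes(32)  # stand-in for the signing key
        self.log = []                            # (voter_id, unix time, signature)

    def register_voter(self, voter_id: str, factor1: str, factor2: str) -> None:
        self.public_side.register(voter_id, factor1)
        self.private_side.register(voter_id, factor2)

    def admit(self, voter_id: str, factor1: str) -> bool:
        # Called in public, after the manual identity check, with one credential only.
        ok = self.public_side.check(voter_id, factor1)
        if ok:
            self.admitted.add(voter_id)
        return ok

    def sign_vote(self, voter_id: str, factor2: str, encrypted_vote: bytes):
        # Both halves must agree: admitted via factor 1 AND factor 2 correct.
        if voter_id not in self.admitted or not self.private_side.check(voter_id, factor2):
            return None
        sig = hmac.new(self.sign_key, encrypted_vote, hashlib.sha256).hexdigest()
        self.log.append((voter_id, time.time(), sig))   # every signature is logged
        return sig

    def verify(self, encrypted_vote: bytes, sig: str) -> bool:
        expected = hmac.new(self.sign_key, encrypted_vote, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig)


def demo() -> dict:
    s = Signer()
    s.register_voter("v1", "PUB-1111", "PRIV-aaaa")
    s.register_voter("v2", "PUB-2222", "PRIV-bbbb")
    vote = b"<constructed ciphertext of a vote>"
    results = {}
    # A bought private factor is useless: v2 never passed the public entrance check.
    results["bought_factor_refused"] = s.sign_vote("v2", "PRIV-bbbb", vote) is None
    results["admitted"] = s.admit("v1", "PUB-1111")
    results["wrong_factor2_refused"] = s.sign_vote("v1", "PRIV-zzzz", vote) is None
    sig = s.sign_vote("v1", "PRIV-aaaa", vote)
    results["signature_verifies"] = sig is not None and s.verify(vote, sig)
    results["tampered_vote_verifies"] = s.verify(vote + b"x", sig)
    results["log_entries"] = len(s.log)
    return results
```

Because neither server alone can authorise a signature, compromising one of them yields a database of hashes of one factor but no ability to sign; the log is the record later compared against the votes and the entrance log.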
Example Embodiments 

This section describes how embodiments can be made. First we give two examples of 
how to encrypt information linking electronic and paper ballots: 

1) Enlarge homomorphically encrypted votes (generalised Paillier or Damgård-Groth) 
such that the plaintext space is Z_{n^{s+1}} instead of Z_{n^s}. Represent (vote, 
manual ballot) as vote + n^s · (manual ballot). Project the encrypted vote to 
Z_{n^{s+1}}, where it encrypts the vote alone (the plaintext modulo n^s), before 
doing the zero-knowledge proof of correctness of the vote. 

2) Use two homomorphic encryption keys with orders of clear-text spaces and 
ciphertext spaces mutually prime, so that the product again has decent properties. 
Do the homomorphic encryption proofs in the vote space only, but do the MIX net 
proof in the product space (if a MIX net proof is done). 

We describe a realisation below that is as simple as possible. This system is an 
example of a traditional MIX net system enhanced with additional information linking 
electronic ballots and paper ballots: 
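As an added illustration of option 1 (example code written for this page, not part of the original document or of the authors' implementation), the following toy Damgård-Jurik (generalised Paillier) implementation packs vote + n^s · link into the enlarged plaintext space Z_{n^{s+1}} and shows that reducing the resulting ciphertext modulo n^{s+1} gives a ciphertext of the s-system that encrypts the vote alone. It also shows what an S server of the MIX net below does on the projected ciphertexts (re-encrypt with a fresh encryption of zero and permute) and that the homomorphic count still works on them. The primes, the choice s = 1, the vote and link values and the function names are assumptions; the zero-knowledge proofs are not implemented.

```python
"""Toy Damgård-Jurik (generalised Paillier): encode vote + N^s * link, project the
ciphertext to strip the link, re-encrypt/permute, count. Added example; the primes
are constructed toy values and far too small for real use."""
from math import factorial, gcd, lcm
import secrets

P, Q = 1000003, 1000033          # constructed toy primes (assumption)
N = P * Q
LAM = lcm(P - 1, Q - 1)          # gcd(N, LAM) == 1 for these primes
S = 1                            # votes live in Z_{N^S}; links in Z_N (assumption)


def _random_unit() -> int:
    while True:
        r = secrets.randbelow(N)
        if r > 1 and gcd(r, N) == 1:
            return r


def encrypt(m: int, s: int) -> int:
    """c = (1+N)^m * r^(N^s) mod N^(s+1); plaintext space Z_{N^s}."""
    mod = N ** (s + 1)
    return pow(1 + N, m, mod) * pow(_random_unit(), N ** s, mod) % mod


def _dlog_1_plus_n(a: int, s: int) -> int:
    """Given a = (1+N)^i mod N^(s+1), return i mod N^s (Damgård-Jurik recursion)."""
    i = 0
    for j in range(1, s + 1):
        nj = N ** j
        t1 = ((a % N ** (j + 1)) - 1) // N
        t2 = i
        for k in range(2, j + 1):
            i -= 1
            t2 = t2 * i % nj
            t1 = (t1 - t2 * N ** (k - 1) * pow(factorial(k), -1, nj)) % nj
        i = t1
    return i


def decrypt(c: int, s: int) -> int:
    ns = N ** s
    d = LAM * pow(LAM, -1, ns)      # d = 1 mod N^s and d = 0 mod LAM
    return _dlog_1_plus_n(pow(c, d, N ** (s + 1)), s)


def encode(vote: int, link: int) -> int:
    """Plaintext of the enlarged (S+1)-system: vote + N^S * link."""
    assert 0 <= vote < N ** S and 0 <= link < N
    return vote + N ** S * link


def project(c_big: int) -> int:
    """Reduce an (S+1)-system ciphertext mod N^(S+1). The result is a valid
    S-system ciphertext of the same plaintext mod N^S, i.e. the vote alone."""
    return c_big % N ** (S + 1)


def split(full: int):
    return full % N ** S, full // N ** S


def reencrypt_and_permute(cts, s: int):
    """One S server's step on projected ciphertexts: multiply each by a fresh
    encryption of 0 and shuffle. The link is already gone, so nothing leaks."""
    mod = N ** (s + 1)
    out = [c * encrypt(0, s) % mod for c in cts]
    secrets.SystemRandom().shuffle(out)
    return out


def demo():
    vote, link = 7, 123456789
    c_big = encrypt(encode(vote, link), S + 1)
    vote_rec, link_rec = split(decrypt(c_big, S + 1))   # full decryption keeps the link
    return vote_rec, link_rec, decrypt(project(c_big), S)  # projection drops it


def tally_demo():
    # Constructed votes 1, 2, 3 with three different links; the count sees only votes.
    cts = [encrypt(encode(v, l), S + 1) for v, l in [(1, 11), (2, 22), (3, 33)]]
    mixed = reencrypt_and_permute([project(c) for c in cts], S)
    acc = 1
    for c in mixed:
        acc = acc * c % N ** (S + 1)
    return decrypt(acc, S), sorted(decrypt(c, S) for c in mixed)
```

The projection works because a ciphertext of the (s+1)-system reduced modulo n^{s+1} is of the form (1+n)^{m mod n^s} · (r^n)^{n^s}, a ciphertext of the s-system; the ballot link sits in the high part n^s · link and disappears, while the full ciphertext can later be decrypted to recover it for the paper/electronic check.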
We briefly describe the individual components: 

- The "Registration Facility" is a public sector system for keeping track 
of the eligible voters. The registration facility interfaces with the 
Signer for registering voters for the system. 

- The Signer is the signature server referred to above, which is used for 
keeping track of voter credentials and voter identities in the voting 
system and for signing electronic votes. When voters are registered on 
the Signer, the Signer registers them at a CA for certification. The 
Signer further sends credentials to the voters and makes available 
functions for disabling voters who cease to be eligible or lose their 
credentials. 

- The CA issues certificates on voters. 

- The "Enter Voting Site Application" accepts one credential from the 
voter, which is provided in public. In this way it is prevented that 
voters can buy credentials and bring more credentials with them into 
the place where votes are cast. A manual check of the voter identity is 
carried out when the "Enter Voting Site Application" is used. The 
"Enter Voting Site Application" is also responsible for handling and 
logging most exceptions to the normal flow of events (examples: a 
voter identifies himself but has lost his credentials; a voter loses his 
second piece of authentication inside the voting site; a voter changes 
his mind before submitting the paper ballot but after having submitted 
the electronic ballot). 

- The "Voting Application" is the application/machine used for casting 
votes. This can for example be a touch screen machine. The voter 
selects his choices and gives off his second credential, which is used for 
having the Signer sign the vote. As a result an electronic ballot and 
a paper ballot are created. The electronic vote is sent on-line to a 
collection point, whereas the voter carries the manual vote out into the 
public sphere, where he enters it into a traditional ballot box. 

- The "Local Check Program" is a program used for checking the votes 
after the election is finished (scanning of information linking paper 
ballots to electronic ballots, checking correspondence with information 
on electronic ballots, checking that the number of paper ballots equals 
the number of electronic ballots and checking a selected number of 
ballots, presumably less than 200, against the corresponding electronic 
ballots). 

- The "Collection Point" is a server which collects votes from at least 
one district and checks syntax and digital signatures on the votes. 

- The S servers are servers holding a share of the private keys of the 
election. They re-encrypt and permute votes and generate a non-
interactive zero-knowledge proof that they have done the job correctly. 

- The last S server performs the last part of the decryption and provides a 
non-interactive zero-knowledge proof of correctness of the decryption 
of each individual vote. 

- The "Key Generation Application" is an off-line application operated 
under particularly stringent security measures, used prior to the election 
for generating the key pairs of the election (crypto system, commitment 
system). The public keys and private key parts are distributed to the 
relevant entities. Notice that the S servers should be operated by 
different organisations/persons in order to ensure secrecy of votes. 




We describe a realisation below that is optimised for performance and security in the 
sense that the performance-demanding generation of zero-knowledge proofs is done at the 
election sites and verification is scalable, such that all zero-knowledge proofs can be 
verified before the result is published: 
We briefly describe the individual components: 

- The registration facility is a public sector system for keeping track of 
the eligible voters. The registration facility interfaces with the Signer 
for registering voters for the system. 

- The Signer is the signature server referred to above, which is used for 
keeping track of voter credentials and voter identities in the voting 
system and for signing electronic votes. When voters are registered on 
the Signer, the Signer registers them at a CA for certification. The 
Signer further sends credentials to the voters and makes available 
functions for disabling voters who cease to be eligible or lose their 
credentials. 

- The CA issues certificates on voters. 

- The "Enter Voting Site Application" accepts one credential from the 
voter, which is provided in public. In this way it is prevented that 
voters can buy credentials and bring more credentials with them into 
the place where votes are cast. A manual check of the voter identity is 
carried out when the "Enter Voting Site Application" is used. The 
"Enter Voting Site Application" is also responsible for handling and 
logging most exceptions to the normal flow of events (examples: a 
voter identifies himself but has lost his credentials; a voter loses his 
second piece of authentication inside the voting site; a voter changes 
his mind before submitting the paper ballot but after having submitted 
the electronic ballot). 

- The "Voting Application" is the application/machine used for casting 
votes. This can for example be a touch screen machine. The voter 
selects his choices and gives off his second credential. As a result an 
electronic and a paper ballot are created. A non-interactive zero-
knowledge proof of correctness of the electronic vote is attached to the 
electronic vote. The electronic vote is signed by the Signer using the 
second credential of the voter. The electronic vote is sent on-line to a 
collection point, whereas the voter carries the manual vote out into the 
public sphere, where he enters it into a traditional ballot box. 

- The "Local Check Program" is a program used for checking the votes 
after the election is finished (scanning of information linking paper 
ballots to electronic ballots, checking correspondence with information 
on electronic ballots, checking that the number of paper ballots equals 
the number of electronic ballots and checking a selected number of 
ballots, presumably less than 200, against the corresponding electronic 
ballots). 

- The "Collection Point" is a server which collects votes from at least 
one district and checks syntax and digital signatures on the votes. 

- The S servers are servers holding a share of the private keys of the 
election. They re-encrypt and permute votes (the zero-knowledge proofs 
and the signature are removed first). 

- The last S server performs the last part of the decryption and provides a 
proof of correctness of the decryption of each individual vote. 

- The "Key Generation Application" is an off-line application operated 
under particularly stringent security measures, used prior to the election 
for generating the key pairs of the election (homomorphic crypto system, 
homomorphic commitment system and homomorphic verification 
system). The public keys and private key parts (secret shared in two 
different ways) are distributed to the relevant entities. Notice that the S 
servers should be operated by different organisations/persons in order 
to ensure secrecy of votes. 

- The V servers are used for verifying the zero-knowledge proofs on the 
individual votes. Notice that one of the schemes for write-in candidates 
allows for no V servers. This however has the disadvantage (as in all 
schemes involving depersonalisation of votes only) that votes filled in 
in ways that should not be allowed by the software of the Voting 
Application cannot be traced back to their origin. With V servers in 
place, votes with invalid zero-knowledge proofs can be linked to the 
identity of the voter. Therefore there is a significant role to play for V 
servers. 

- The "Homomorphic Count" is a server where votes with valid zero-
knowledge proofs are counted. Further, write-in votes and the 
electronic version of the information linking electronic and paper 
ballots can be taken in to do a full verification. In an interaction with a 
trusted group of people each holding a secret share of the private keys 
of the election, the result of the election is decrypted. A complete audit 
trail with zero-knowledge proofs that everything has been done 
correctly is produced and stored/exported for external audit. 

- The TS servers are threshold servers, applications that allow the key 
share holders to use their key shares for decrypting the result of the 
election. 

- The "External Audit Facility" is a facility that checks that the steps 
carried out by the V servers and the Homomorphic Count were 
performed correctly. 



Please notice that not all relevant arrows are included in the drawing. For example 
arrows with origin at the key generation server have been left out for simplicity. 
Further, feedback is helpful in a number of situations in order to deal with error and 
fraud situations. For example feedback from the V servers to the collection point is 
preferable in the case where there are votes with valid content but invalid zero-
knowledge proofs. 

A special variant of a user interface to the local check program will also be claimed 
and an embodiment is described below: 

- The container for collecting ballots is separated into two or more physical 
containers. 

- When the voter wants to submit his vote he physically interacts with the device, 
resulting in the device bringing itself into a mode where it is possible for the voter to 
enter his ballot into at least one of the containers but not both/all. 

- The ballots entered into one/some of the containers will be subjected to checks 
against the electronic ballots, possibly different types of checks depending on the 
container, whereas the ballots entered into (the) other container(s) will not be 
checked against electronic ballots. 
A more sophisticated version of such a device is also possible. In addition to a button 
to press for entering a ballot, a scanner is available. The procedure is as follows: 

- The voter presses the button (or in another way makes it known that the device must 
make its choice). 

- The device indicates which slot will be opened, for example by lighting up the slot 
to be opened. 

- The voter uses the scanning device to scan the information on his ballot linking it to an 
electronic ballot. 

- The device opens the slot indicated. 

- The voter enters his vote. 

In this way the manual ballots will all be processed during the election, with the exception 
of the reading of the content of the ballots to be checked. This simplifies the step after the 
election is over of actually entering the content of the ballots to be checked. 

The two steps, first pressing the button, then scanning the ballot, are there to ensure 
that it will be impossible for the electronic voting system to signal to the device in a 
reliable way which ballots shall not be checked: the slot is chosen before the device 
learns which ballot is being submitted. 

In order to apply this scheme it is preferable to form the ballots in a way such that the 
information linking them to electronic ballots can be scanned without revealing the 
content of the ballot. This can be done by having the information linking the physical 
and electronic ballots written on the back side of the physical ballots, near the top or 
the bottom of the ballot. 



Figure: Ballot with scannable text field (fields: "Text to scan" on the back, and "Voter's choice"). 
Full Accountability 

When the election is over a lot of options are available for verification and fine 
counting, providing full accountability of the system: 

1) Verifying correctness of the verification and counting by an independent 
organisation using independent software. This is standard universal 
verifiability carried out at the "External Audit Facility". 

2) Verifying the Signer log against the votes. In particular verifying that there is 
no systematic double signing. Voters who have signed more than once can be 
double-checked for whether they got the permission (log from the "Enter 
Voting Site Application"). 

3) Selecting an adequate number of randomly chosen depersonalised votes for 
the whole country (a predetermined number, for example about 459 (or more) 
in our proposed solution). Do a test that each of those votes corresponds to a 
manual vote by a manual procedure in election districts. 

4) For each district, selecting an adequate number of randomly chosen votes (a 
predetermined number, for example about 194 in our proposed solution). Do a 
test that each of those votes corresponds to a manual vote by a manual 
procedure in election districts. In contrast to 3), this work can be distributed 
over months (however, in the example embodiments given, it is done just after 
the election or even in parts during the election). 

If 1) to 4) are all successful and no other factors indicate that there is an increased risk that 
this election has been tampered with, it will be natural to stop here. If however one of 
the tests is not successful, a number of steps can be taken. 

5) Electronic logs from voting sites can be compared to central logs from the 
Signer and the counting facilities. The result of this comparison may give an 
indication about in which parts of the country a closer investigation shall take 
place. 

6) Selected or all districts can perform a manual recount. 

7) Selected or all districts can perform an extended manual recount involving the 
following: all electronic votes cast in the district are depersonalised in a MIX 
net. Each electronic vote is matched with a printed ballot. 

8) In districts where the abovementioned pairing of electronic and manual votes 
cannot be performed with sufficient success, a new election may be called for. 

9) It is also possible, with the help of highly trusted persons holding shares of the 
key used for decrypting the result of the election, to call in voters and have 
their votes decrypted such that they can judge whether fraud has taken 
place in the manual or the electronic system. 
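The checks run by the "Local Check Program" and steps 2) to 4) above, as an added example over constructed data (not code from the original document). Assumed record layouts: a depersonalised electronic ballot and a scanned paper ballot are both (link, choice) pairs; the Signer log is the list of voter ids in signing order; the entrance log is the set of voters whom the "Enter Voting Site Application" permitted to sign again. The sample_size() function is one reading of the figures 459 and 194: it returns the smallest random sample that catches a tampered fraction f of the ballots with probability at least 1 - delta, and 459 and 194 are what it gives for f = delta = 1% and f = delta = 2%. The document does not state how its numbers were derived, so that interpretation is an assumption.

```python
"""Post-election local checks and sample sizing (added example; record layouts
and sample data are constructed for illustration)."""
import math
import secrets
from collections import Counter


def count_check(electronic, paper) -> bool:
    """The number of paper ballots must equal the number of electronic ballots."""
    return len(electronic) == len(paper)


def link_check(electronic, paper) -> dict:
    """Every scanned link must match exactly one electronic ballot and vice versa."""
    e_links = Counter(link for link, _ in electronic)
    p_links = Counter(link for link, _ in paper)
    return {
        "missing_paper": sorted(e_links.keys() - p_links.keys()),
        "missing_electronic": sorted(p_links.keys() - e_links.keys()),
        "duplicates": sorted(l for l, c in (e_links + p_links).items() if c > 2),
    }


def sample_check(electronic, paper, k: int, rng=secrets.SystemRandom()):
    """Pick k electronic ballots at random and compare their content with the
    paper ballot carrying the same link. Returns the links that disagree."""
    paper_by_link = dict(paper)
    sample = rng.sample(electronic, min(k, len(electronic)))
    return sorted(link for link, choice in sample if paper_by_link.get(link) != choice)


def sample_size(f: float, delta: float) -> int:
    """Smallest k with (1 - f)^k <= delta: if a fraction f of the ballots has been
    tampered with, a random sample of k ballots misses all of them with
    probability at most delta."""
    return math.ceil(math.log(delta) / math.log(1 - f))


def double_signing(signer_log, entry_permissions) -> list:
    """Voters with more than one signature in the Signer log whose extra signing
    was not permitted by the Enter Voting Site Application (step 2 above)."""
    counts = Counter(signer_log)
    return sorted(v for v, c in counts.items() if c > 1 and v not in entry_permissions)


# Constructed sample data: six ballots; the electronic copy of link L5 was altered.
ELECTRONIC = [("L1", "A"), ("L2", "B"), ("L3", "A"), ("L4", "C"), ("L5", "A"), ("L6", "B")]
PAPER = [("L1", "A"), ("L2", "B"), ("L3", "A"), ("L4", "C"), ("L5", "B"), ("L6", "B")]
SIGNER_LOG = ["v1", "v2", "v3", "v2", "v4", "v5", "v5"]
ENTRY_PERMITTED_RESIGN = {"v2"}   # v2 changed his mind and was allowed to re-sign


def demo() -> dict:
    return {
        "counts_equal": count_check(ELECTRONIC, PAPER),
        "links": link_check(ELECTRONIC, PAPER),
        "mismatches_full_sample": sample_check(ELECTRONIC, PAPER, len(ELECTRONIC)),
        "k_1pct_99pct": sample_size(0.01, 0.01),   # 459, the country-wide figure
        "k_2pct_98pct": sample_size(0.02, 0.02),   # 194, the per-district figure
        "double_signers": double_signing(SIGNER_LOG, ENTRY_PERMITTED_RESIGN),
    }
```

The sample must be drawn after the electronic ballots are fixed (for example from the depersonalised output of the MIX net) and with randomness the voting system cannot predict, for the same reason the ballot-box device above chooses its slot before scanning.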




Conclusion 

We observe that with the embodiments of the system proposed, benefits of several 
kinds can be achieved: 

- Cost savings: For elections carried out in an orderly fashion, costs for 
counting can be limited significantly by having few locations where 
counting takes place and counting votes almost 100% electronically. 

- Increased service to voters: If the system is designed to do so, voting 
from arbitrary voting sites is possible for each voter because 
everything is electronic. 

- Security: If the result of an election is disputed, there is much better 
accounting than in a manual election because the printed ballots can be 
compared to the electronic ones to establish which ballots have been 
tampered with. 

Not all embodiments are optimal in each individual category; for example Internet-
voting systems without security features built in optimise the first two while 
completely sacrificing the third. However, we describe a good compromise and leave 
a lot of room for election organisers to select just the solution that meets their 
requirements optimally. For example the scheme described is compatible with having 
Internet voting also for selected categories of voters, like voters living abroad. 
CLAIMS 

What is claimed is: 

1. A voting system feature comprising: at least one device used for voting entering, 
preferably, (the same or associated) information on a printed ballot and an encrypted 
electronic ballot linking the two to each other; preferably, each voter will be allowed 
to watch the content of the paper ballot to verify that it contains his choices; 
preferably, at least one instance making available depersonalised clear-text electronic 
ballots with their information linking them to printed ballots to the public or to 
selected entities; preferably, a procedure selecting a random sample of electronic 
ballots and verifying that their content corresponds to the content of the corresponding 
paper ballots, with the purpose of establishing confidence that the electronic ballots 
have not been subjected to large-scale tampering. 

2. A voting system feature comprising: at least one device used for voting entering, 
preferably, (the same or associated) information on a printed ballot and an encrypted 
electronic ballot linking the two to each other; preferably, each voter will be allowed 
to watch the content of the paper ballot to verify that it contains his choices; 
preferably, at least one instance making available depersonalised clear-text electronic 
ballots with their information linking them to printed ballots to the public or to 
selected entities; preferably, a procedure selecting a random sample of electronic 
ballots and verifying that their content corresponds to the content of the corresponding 
paper ballots, with the purpose of establishing a deterrent against tampering with the 
voting device in individual election districts. 

3. A device for collecting ballots comprising: two or more containers for collecting 
filled ballots and a user interface allowing a voter to make known his intention to 
submit his ballot, arranged in such a way that it is decided at random at the time of 
ballot submission whether ballots shall be checked. This works in the way that it is by 
mechanical means ensured that ballots selected for checking at random are entered in 
a particular subset of containers. 

4. A protocol comprising: a zero-knowledge proof of correctness of randomisation or 
permuting and partial decryption of homomorphically encrypted messages, and 
preferably the non-interactive versions of the protocol obtained by using the 
Fiat-Shamir heuristic. 

5. A protocol comprising: use of a crypto system that performs efficiently by making 
use of subgroups of Z_n* for the message space and/or the randomisation space. 

6. A protocol comprising: use of a homomorphic verification system for verifying the 
correctness of the result obtained by repeatedly permuting and re-encrypting and 
finally decrypting homomorphically encrypted content. 

7. A protocol comprising: use of a homomorphic verification system for verifying the 
correctness of the votes obtained by repeatedly permuting and re-encrypting and 
finally decrypting homomorphically encrypted votes. 

8. A protocol comprising: use of a homomorphic verification system for verifying the 
correctness of the information linking electronic and printed ballots obtained by 
repeatedly permuting and re-encrypting and finally decrypting homomorphically 
encrypted votes. 